Package: jabberd2
Version: 2.4.0-3
Severity: grave
Tags: security
Justification: user security hole
During investigation of some issue on my local jabber server I've found plenty of records like these in my c2s.log:

Mon Jul 3 20:06:21 2017 [notice] [150] ANONYMOUS authentication succeeded: bf719de629033bbf9c6c1aecec590aa8928c9...@my-server.com 195.208.220.171:55481 TLS
Mon Jul 3 20:07:01 2017 [notice] [166] ANONYMOUS authentication succeeded: bcb1ccc187a88c4d61f5ef14516fc6e69e94c...@my-server.com 62.76.74.249:51574 TLS
Mon Jul 3 20:08:20 2017 [notice] [169] ANONYMOUS authentication succeeded: 4349fd92ecf35ac14cd71d9c5133f014a1cf3...@my-server.com 195.208.220.171:55722 TLS

and I did not allow such an auth type and usage scenario for my server. Latest news on https://github.com/jabberd2/jabberd2/releases told me that this was a bug, and it's fixed:
https://github.com/jabberd2/jabberd2/commit/8416ae54ecefa670534f27a31db71d048b9c7f16.patch

This bug allows unauthorized usage of jabberd2 server installations and can possibly lead to a DoS. I've patched my version of jabberd2 from stable with the patch above, and prepared one for Debian.

-- System Information:
Debian Release: 9.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968), LANGUAGE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages jabberd2 depends on:
ii  adduser              3.115
ii  init-system-helpers  1.48
ii  libc6                2.24-11+deb9u1
ii  libdb5.3             5.3.28-12+b1
ii  libexpat1            2.2.0-2+deb9u1
ii  libgsasl7            1.8.0-8+b2
ii  libhttp-parser2.1    2.1-2
ii  libidn11             1.33-1
ii  libldap-2.4-2        2.4.44+dfsg-5
ii  libmariadbclient18   10.1.23-9+deb9u1
ii  libpam0g             1.1.8-3.6
ii  libpq5               9.6.3-3
ii  libsqlite3-0         3.16.2-5
ii  libssl1.0.2          1.0.2l-2
ii  libudns0             0.4-1+b1
ii  zlib1g               1:1.2.8.dfsg-5

jabberd2 recommends no packages.

jabberd2 suggests no packages.

-- no debconf information
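As an added example (not from the original report or the jabberd2 project), a small Python scanner for the c2s.log records quoted above: it parses the successful-authentication lines, flags every ANONYMOUS login on a deployment where sasl.anonymous is off, and totals them per client address. The log-format regex, the PLAIN login and the filler line are assumptions; the sample input is constructed from the records in the report.

```python
import re
from collections import Counter

# Line layout taken from the c2s.log records quoted in the report (assumed stable):
# "<Www Mmm d HH:MM:SS YYYY> [<level>] [<fd>] <MECH> authentication succeeded: <jid> <ip>:<port> [TLS]"
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4}) "
    r"\[(?P<level>\w+)\] \[(?P<fd>\d+)\] "
    r"(?P<mech>[A-Z0-9-]+) authentication succeeded: (?P<jid>\S+) "
    r"(?P<ip>[0-9A-Fa-f.:]+):(?P<port>\d+)(?: (?P<tls>TLS))?$"
)

def parse_auth_line(line):
    """Return the fields of a successful-auth record, or None for any other line."""
    m = AUTH_RE.match(line.strip())
    return m.groupdict() if m else None

def unexpected_anonymous(lines, anonymous_enabled=False):
    """Successful ANONYMOUS logins on a host where sasl.anonymous is not enabled.

    With the bug described in the report a client can pick ANONYMOUS even though the
    server never offered it, so on an anonymous-disabled deployment every such record
    is worth an alert (and a check that the fixed package is installed)."""
    if anonymous_enabled:
        return []
    return [r for r in (parse_auth_line(ln) for ln in lines)
            if r is not None and r["mech"] == "ANONYMOUS"]

def source_counts(records):
    """Count flagged logins per client IP, to spot one source cycling sessions."""
    return Counter(r["ip"] for r in records)

# Constructed sample: the three records quoted in the report, plus an assumed PLAIN
# login (192.0.2.10 is a documentation address) and a filler line the parser ignores.
SAMPLE_LOG = """\
Mon Jul  3 20:06:21 2017 [notice] [150] ANONYMOUS authentication succeeded: bf719de629033bbf9c6c1aecec590aa8928c9...@my-server.com 195.208.220.171:55481 TLS
Mon Jul  3 20:07:01 2017 [notice] [166] ANONYMOUS authentication succeeded: bcb1ccc187a88c4d61f5ef14516fc6e69e94c...@my-server.com 62.76.74.249:51574 TLS
Mon Jul  3 20:07:30 2017 [notice] [168] PLAIN authentication succeeded: alice@my-server.com 192.0.2.10:40000 TLS
Mon Jul  3 20:07:45 2017 [notice] [168] session ended (constructed filler line)
Mon Jul  3 20:08:20 2017 [notice] [169] ANONYMOUS authentication succeeded: 4349fd92ecf35ac14cd71d9c5133f014a1cf3...@my-server.com 195.208.220.171:55722 TLS
"""

if __name__ == "__main__":
    hits = unexpected_anonymous(SAMPLE_LOG.splitlines())
    for ip, n in source_counts(hits).most_common():
        print(f"{ip}: {n} unexpected ANONYMOUS login(s)")
```

Point it at a real c2s.log with `unexpected_anonymous(open(path))`; a non-empty result on a server whose c2s.xml leaves sasl.anonymous disabled means the unpatched behaviour is in play.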
Fix a bug allowing anyone to authenticate using SASL ANONYMOUS, even when sasl.anonymous c2s.xml option is not enabled. Original patch: https://github.com/jabberd2/jabberd2/commit/8416ae54ecefa670534f27a31db71d048b9c7f16.patch --- a/c2s/main.c +++ b/c2s/main.c @@ -562,6 +562,8 @@ mechbuf[sizeof(mechbuf)-1]='\0'; for(i = 0; mechbuf[i]; i++) mechbuf[i] = tolower(mechbuf[i]); + log_debug(ZONE, "sx sasl callback: check mech (mech=%s)", mechbuf); + /* get host for request */ host = xhash_get(c2s->hosts, s->req_to); if(host == NULL) { --- a/sx/sasl.c +++ b/sx/sasl.c @@ -328,7 +328,7 @@ if(mech != NULL) { _sx_debug(ZONE, "auth request from client (mechanism=%s)", mech); - if(!gsasl_server_support_p(ctx->gsasl_ctx, mech)) { + if(!gsasl_server_support_p(ctx->gsasl_ctx, mech) || (ctx->cb)(sx_sasl_cb_CHECK_MECH, (void*)mech, NULL, s, ctx->cbarg) != sx_sasl_ret_OK) { _sx_debug(ZONE, "client requested mechanism (%s) that we didn't offer", mech); _sx_nad_write(s, _sx_sasl_failure(s, _sasl_err_INVALID_MECHANISM), 0); return;
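Review bot: in the c2s/main.c hunk the only added code is a log_debug of the lowercased mechbuf; the CHECK_MECH decision itself has to be made in the code after the visible context (the `host = xhash_get(c2s->hosts, s->req_to)` lookup and the `if(host == NULL)` branch), so confirm that the per-host path returns something other than sx_sasl_ret_OK for ANONYMOUS when the host's sasl.anonymous option is off, since the sx/sasl.c hunk now relies entirely on that return value to refuse the mechanism. The debug line is useful for operators chasing exactly the records quoted in the report, but a one-line comment above it saying that this callback is the enforcement point for offered-versus-requested mechanisms would document why the hook matters.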
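Review bot: in the sx/sasl.c hunk the failure branch still logs "client requested mechanism (%s) that we didn't offer", but after this change it is also reached when gsasl_server_support_p() succeeds and the new CHECK_MECH callback rejects the mechanism, which is precisely the ANONYMOUS case from the report; evaluate the callback into a local before the `if` and emit a separate _sx_debug for a callback rejection so a policy refusal can be told apart from an unsupported mechanism in the logs. Splitting the condition into a local also breaks up the very long line. The client-visible reply stays _sasl_err_INVALID_MECHANISM in both cases, which is the right answer to give.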